Are Code Examples on an Online Q&A Forum Reliable? A Study of - - PowerPoint PPT Presentation

Are Code Examples on an Online Q&A Forum Reliable?

Tianyi Zhang1,Ganesha Upadhyaya2, Anastasia Reinhart3, Hridesh Rajan2, Miryung Kim1

1University of California, Los Angeles 2Iowa State University 3George Fox University

1

A Study of API Misuse on Stack Overflow

Using APIs properly is a key challenge in Programming

2

e.g., Java APIs

The Status Quo of Learning APIs

3

Developers often search online for code examples to learn APIs [Sadowski et al. 2016]

The Limitation of Online Code Examples

• Programmers can only inspect a handful of search results.

[Brandt et al. 2009, Starke et al. 2009, Duala-Ekoko and Robillard 2012]

• Individual code examples may suffer from

– insecure coding practices [Fischer et al. 2017] – unchecked obsolete usage [Zhou and Walker 2016] – low readability [Treude and Robillard 2017]

4

“How do I write data to a file using FileChannel?”

5

“How do I write data to a file using FileChannel?”

6

“How do I write data to a file using FileChannel?”

7

This example forgets to close the FileChannel object properly.

“How do I write data to a file using FileChannel?”

8

“How do I write data to a file using FileChannel?”

9

This example forgets to handle potential exceptions such as IOException and FileNotFoundException.

Research Questions

• RQ1. Is API misuse prevalent on Stack Overflow?
• RQ2. Are highly voted posts more reliable?
• RQ3. What are the characteristics of API misuse?

10

Outline

• Problem Statement
• API usage mining from 380K Java Projects on GitHub
• An Empirical Study of API Misuse on Stack Overflow

11

API Usage Mining from GitHub

• We contrast SO snippets with API usage patterns mined from

380K GitHub projects.

12

Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining API usage patterns 380K Java Repositories on GitHub

1 2 3

Insight 1: Mining a Large Code Corpus

• Our code corpus includes 380K GitHub projects with at least 100

revisions and 2 contributors.

13

Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining API usage patterns 380K Java Repositories on GitHub

1 2 3

Dyer et al. Boa: A language and infrastructure for analyzing ultra-large-scale software

• repositories. ICSE 2013.

Insight 2: Removing Irrelevant Statements via Program Slicing

• We perform backward and forward slicing to identify data- and

control-dependent statements to an API method of interest.

14

Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining API usage patterns 380K Java Repositories on GitHub

1 2 3

15

void initInterfaceProperties(String temp, File dDir) { if(!temp.equals("props.txt")) { log.error("Wrong Template."); return; } // load default properties FileInputStream in = new FileInputStream(temp); Properties prop = new Properties(); prop.load(in); ... init properties ... // write to the property file String fPath=dDir.getAbsolutePath()+"/interface.prop"; File file = new File(fPath); if(!file.exists()) { file.createNewFile(); } FileOutputStream out = new FileOutputStream(file); prop.store(out, null); in.close(); }

GitHub example of File.createNewFile The focal API method

16

void initInterfaceProperties(String temp, File dDir) { if(!temp.equals("props.txt")) { log.error("Wrong Template."); return; } // load default properties FileInputStream in = new FileInputStream(temp); Properties prop = new Properties(); prop.load(in); ... init properties ... // write to the property file String fPath=dDir.getAbsolutePath()+"/interface.prop"; File file = new File(fPath); if(!file.exists()) { file.createNewFile(); } FileOutputStream out = new FileOutputStream(file); prop.store(out, null); in.close(); }

Data dependency up to one hop, i.e., direct dependency The focal API method

data control

17

void initInterfaceProperties(String temp, File dDir) { if(!temp.equals("props.txt")) { log.error("Wrong Template."); return; } // load default properties FileInputStream in = new FileInputStream(temp); Properties prop = new Properties(); prop.load(in); ... init properties ... // write to the property file String fPath=dDir.getAbsolutePath()+"/interface.prop"; File file = new File(fPath); if(!file.exists()) { file.createNewFile(); } FileOutputStream out = new FileOutputStream(file); prop.store(out, null); in.close(); }

Data dependency up to two hops The focal API method

data control

Insight 3: Capture Semantics Info in API Usage

• It is important to capture the temporal ordering, enclosing

control structures, and appropriate guard conditions of API calls.

18

Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining API usage patterns 380K Java Repositories on GitHub

1 2 3

Insight 3: Capture Semantics Info in API Usage

• It is important to capture the temporal ordering, enclosing

control structures, and appropriate guard conditions of API calls.

19

Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining API usage patterns 380K Java Repositories on GitHub

1 2 3 new File (String); try {; new FileInputStream(File)@arg0.exists(); } catch (IOException) {; }

Insight 3: Capture Semantics Info in API Usage

• It is important to capture the temporal ordering, enclosing

control structures, and appropriate guard conditions of API calls.

20

Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining API usage patterns 380K Java Repositories on GitHub

1 2 3 new File (String); try {; new FileInputStream(File)@arg0.exists(); } catch (IOException) {; }

Insight 3: Capture Semantics Info in API Usage

• It is important to capture the temporal ordering, enclosing

control structures, and appropriate guard conditions of API calls.

21

Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining API usage patterns 380K Java Repositories on GitHub

1 2 3 new File (String); try {; new FileInputStream(File)@arg0.exists(); } catch (IOException) {; }

Insight 3: Capture Semantics Info in API Usage

• It is important to capture the temporal ordering, enclosing

control structures, and appropriate guard conditions of API calls.

22

Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining API usage patterns 380K Java Repositories on GitHub

1 2 3 new File (String); try {; new FileInputStream(File)@arg0.exists(); } catch (IOException) {; }

Insight 4: Variations in Guard Conditions

• Guard conditions are canonicalized and grouped based on logical

equivalence.

23

Two equivalent guard conditions for String.substring: arg0>=0 && arg0<=rcv.length() ⇔ arg0>-1 && arg0<rcv.length()+1 Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining 380K Java Repositories on GitHub

1 2 3

Insight 4: Variations in Guard Conditions

• Guard conditions are canonicalized and grouped based on logical

equivalence.

24

Two equivalent guard conditions for String.substring: arg0>=0 && arg0<=rcv.length() ⇔ arg0>-1 && arg0<rcv.length()+1 Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining 380K Java Repositories on GitHub

1 2 3

Insight 4: Variations in Guard Conditions

• Guard conditions are canonicalized and grouped based on logical

equivalence.

25

Two equivalent guard conditions for String.substring: arg0>=0 && arg0<=rcv.length() ⇔ arg0>-1 && arg0<rcv.length()+1 Code Search Program Slicing Call Sequence Extraction Structured API call sequences Frequent Sequence Mining SMT-based Guard Condition Mining 380K Java Repositories on GitHub

1 2 3

Insight 4: Variations in Guard Conditions

• We use Z3 to prove the logic equivalence of guard conditions.
• p ⇔ q is valid iff. ¬((¬p ∨ q) ∧ (p ∨ ¬q)) is UNSAT.

26

if (start>=0 && start<=s.length()) { s.substring(start); } if (i>-1 && i<log.length()+1) { log.substring(i); } p : arg0>=0 && arg0<=rcv.length() q : arg0>-1 && arg0<rcv.length()+1

Outline

• Problem Statement
• API usage mining from 380K Java Projects on GitHub
• An Empirical Study of API Misuse on Stack Overflow

27

Data Set: API Usage Patterns

• We learn 245 API usage patterns of 100 Java API methods.
• We manually inspect these patterns.
• 180 patterns can be confirmed by online documentation.

28

API method Pattern ArrayList.list loop {; get(int)@arg0<rcv.size(); } Scanner.nextLine loop {; nextLine()@rcv.hasNextLine(); } SQLiteDatabase.query query(…)@true; close()@true TypedArray.getString getString(int)@true; recycle()@true FileChannel.write try {; write(ByteBuffer)@true; }; catch(IOException) {; }

Data Set: SO Posts

• We extract code snippets in the markdown <code> from the SO

posts with the Java tag.

• We parse and analyze these snippets using a partial program

parsing and type resolution technique, JavaBaker.

• We find 217,818 SO posts with code snippets that use the 100 Java

API methods in our study scope.

29

Siddharth Subramanian, Laura Inozemtseva, and Reid Holmes. Live API

• Documentation. ICSE 2014.

Method of API Misuse Detection

• We examine 220K SO posts with 180 confirmed patterns.

30

java Stack Overflow snippets Subsequence Check Call Sequence Extraction Guard Condition Check Structured API call sequences 180 Valid Patterns API usage violations

Dataset: http://web.cs.ucla.edu/~tianyi.zhang/examplecheck.html

query pattern(s)

Method of API Misuse Detection

• We examine 220K SO posts with 180 confirmed patterns.

31

java Stack Overflow snippets Subsequence Check Call Sequence Extraction Guard Condition Check Structured API call sequences 180 Valid Patterns API usage violations

Dataset: http://web.cs.ucla.edu/~tianyi.zhang/examplecheck.html

query pattern(s)

Method of API Misuse Detection

• We examine 220K SO posts with 180 confirmed patterns.

32

java Stack Overflow snippets Subsequence Check Call Sequence Extraction Guard Condition Check Structured API call sequences 180 Valid Patterns API usage violations

Dataset: http://web.cs.ucla.edu/~tianyi.zhang/examplecheck.html

query pattern(s)

Method of API Misuse Detection

• We examine 220K SO posts with 180 confirmed patterns.

33

java Stack Overflow snippets Subsequence Check Call Sequence Extraction Guard Condition Check Structured API call sequences 180 Valid Patterns API usage violations

Dataset: http://web.cs.ucla.edu/~tianyi.zhang/examplecheck.html

query pattern(s)

Method of API Misuse Detection

• We examine 220K SO posts with 180 confirmed patterns.

34

java Stack Overflow snippets Subsequence Check Call Sequence Extraction Guard Condition Check Structured API call sequences 180 Valid Patterns API usage violations

Dataset: http://web.cs.ucla.edu/~tianyi.zhang/examplecheck.html

query pattern(s)

• RQ1. Is API Misuse Prevalent on Stack Overflow?
• 31% of SO posts contain API usage violations.
• Two authors independently inspected 400 SO posts with

reported API usage violations.

• 289 posts (72%) can negatively impact on production code.

35

36

public ArrayList get_user_by_id(String id) { ArrayList listUserInfo = new ArrayList(); SQLiteDatabase db = this.getReadableDatabase(); Cursor cursor = db.query(...); if (cursor != null) { while (cursor.moveToNext()) { UserInfo userInfo = new UserInfo(); userInfo.setAppId(cursor.getString(cursor.getColumnIndex( COLUMN_APP_ID))); // HERE YOU CAN MULTIPLE RECORD AND ADD TO LIST 11 listUserInfo.add(userInfo); } } return listUserInfo; }

A code example of getting data from SQLite database in Android [Post ID 31531250]

A Cursor object is created but never released.

37

public ArrayList get_user_by_id(String id) { ArrayList listUserInfo = new ArrayList(); SQLiteDatabase db = this.getReadableDatabase(); Cursor cursor = db.query(...); if (cursor != null) { while (cursor.moveToNext()) { UserInfo userInfo = new UserInfo(); userInfo.setAppId(cursor.getString(cursor.getColumnIndex( COLUMN_APP_ID))); // HERE YOU CAN MULTIPLE RECORD AND ADD TO LIST 11 listUserInfo.add(userInfo); } } return listUserInfo; }

A code example of getting data from SQLite database in Android [Post ID 31531250]

A Cursor object is created but never released.

38

public ArrayList get_user_by_id(String id) { ArrayList listUserInfo = new ArrayList(); SQLiteDatabase db = this.getReadableDatabase(); Cursor cursor = db.query(...); if (cursor != null) { while (cursor.moveToNext()) { UserInfo userInfo = new UserInfo(); userInfo.setAppId(cursor.getString(cursor.getColumnIndex( COLUMN_APP_ID))); // HERE YOU CAN MULTIPLE RECORD AND ADD TO LIST 11 listUserInfo.add(userInfo); } } return listUserInfo; }

A code example of getting data from SQLite database in Android [Post ID 31531250]

A Cursor object is created but never released.

39

public ArrayList get_user_by_id(String id) { ArrayList listUserInfo = new ArrayList(); SQLiteDatabase db = this.getReadableDatabase(); Cursor cursor = db.query(...); if (cursor != null) { while (cursor.moveToNext()) { UserInfo userInfo = new UserInfo(); userInfo.setAppId(cursor.getString(cursor.getColumnIndex( COLUMN_APP_ID))); // HERE YOU CAN MULTIPLE RECORD AND ADD TO LIST 11 listUserInfo.add(userInfo); } } return listUserInfo; }

A code example of getting data from SQLite database in Android [Post ID 31531250]

A Cursor object is created but never released.

40

public ArrayList get_user_by_id(String id) { ArrayList listUserInfo = new ArrayList(); SQLiteDatabase db = this.getReadableDatabase(); Cursor cursor = db.query(...); if (cursor != null) { while (cursor.moveToNext()) { UserInfo userInfo = new UserInfo(); userInfo.setAppId(cursor.getString(cursor.getColumnIndex( COLUMN_APP_ID))); // HERE YOU CAN MULTIPLE RECORD AND ADD TO LIST 11 listUserInfo.add(userInfo); } } return listUserInfo; }

A code example of getting data from SQLite database in Android [Post ID 31531250]

A Cursor object is created but never released.

• RQ1. Is API Misuse Prevalent on Stack Overflow?
• Many SO snippets use hardcoded input for illustration.
• They may crash with real-world input data.

41

String text = "<img src=\"mysrc\" width=\"128\" height=\"92\" border=\"0\" alt=\"alt\" /><p><strong>"; text = text.substring(text.indexOf("src=\"")); text = text.substring("src=\"".length()); text = text.substring(0, text.indexOf("\"")); System.out.println(text);

A code example of extracting the src field from a html string [Post ID 12742734]

• RQ1. Is API Misuse Prevalent on Stack Overflow?
• Many SO snippets use hardcoded input for illustration.
• They may crash with real-world input data.

42

String text = "<img src=\"mysrc\" width=\"128\" height=\"92\" border=\"0\" alt=\"alt\" /><p><strong>"; text = text.substring(text.indexOf("src=\"")); text = text.substring("src=\"".length()); text = text.substring(0, text.indexOf("\"")); System.out.println(text);

A code example of extracting the src field from a html string [Post ID 12742734]

• Highly-voted posts are not necessarily more reliable in terms
• f correct API usage.
• RQ2. Are highly voted posts more reliable?

43

• RQ3. What are characteristics of API misuse?
• API misuse is caused by three main reasons---missing control

structures, missing or incorrect order of API calls, and incorrect guard conditions.

44

Cursor emails = db.query(Email.CONTENT_URI,...); while (emails.moveToNext()) { String email = emails.getString(..); } emails.close();

Missing finally block [Post ID 31427468]

• RQ3. What are characteristics of API misuse?
• API misuse is caused by three main reasons---missing control

structures, missing or incorrect order of API calls, and incorrect guard conditions.

45

Cursor emails = db.query(Email.CONTENT_URI,...); while (emails.moveToNext()) { String email = emails.getString(..); } emails.close();

Missing finally block [Post ID 31427468]

• RQ3. What are characteristics of API misuse?
• API misuse is caused by three main reasons---missing control

structures, missing or incorrect order of API calls, and incorrect guard conditions.

46

ByteBuffer bb = ByteBuffer.allocate(4); bb.put(newArgb); int i = bb.getInt();

Missing an API call, bb.flip() [Post ID 12100651]

• RQ3. What are characteristics of API misuse?
• API misuse is caused by three main reasons---missing control

structures, missing or incorrect order of API calls, and incorrect guard conditions.

47

TreeMap map = new TreeMap(); //OR SortedMap map = new //TreeMap(); map.firstKey();

Incorrect guard condition, !map.isEmpty() [Post ID 21983867]

• RQ3. What are characteristics of API misuse?
• Network, database, IO, crypto, string manipulation APIs are

more likely to be misused.

48

ExampleCheck: Checking API Misuse in Stack Overflow using Patterns Mined from GitHub

49

50

ExampleCheck: Checking API Misuse in Stack Overflow using Patterns Mined from GitHub

https://chrome.google.com/webstore/detail/examplecheck/amliempeb ckaiaklimcpopomlnklkioe

Examplore: Visualizing API Usage Examples at Scale [CHI 2018]

• Examplore visualizes API usage features in hundreds of code

examples along with their statistical distribution in histograms.

51

Tool: http://examplore.cs.ucla.edu:3000/

Our Contributions

• An API usage mining technique that extracts patterns from
• ver 380K GitHub projects
• A large-scale empirical study of API misuse in 220K SO posts
• A Chrome extension that augments Stack Overflow with API

usage patterns mined from GitHub

52